Sysdig Threat Report Reveals Victims Lose $53 for every $1 Cryptojackers Gain

SEPTEMBER 28, 2022


2022 Sysdig Threat Report

The 2022 Sysdig Cloud Native Threat Report breaks down supply chain attacks against containers and how geopolitical conflict is influencing attacker behaviors

SAN FRANCISCO — September 28, 2022 – According to a new report from Sysdig, the unified container and cloud security leader, it costs $430,000 in cloud bills for an attacker to generate $8,100 in cryptocurrency revenue. The report confirms that cryptojacking remains the primary motivation for opportunistic attackers, exploiting vulnerabilities and weak system configurations. Using worldwide honeynets, the Sysdig Threat Research Team (Sysdig TRT) took an extensive look at TeamTNT and geopolitical activities over the past nine months. Sysdig was able to draw conclusions on TeamTNT, the explosion of malicious payloads in Docker Hub, and the rise in DDos attacks after the Russian/Ukraine war began.

Blog: Sysdig 2022 Threat Report: Cloud Native Threats are Increasing and Maturing

The rapid shift to containers and cloud has driven an increase in opportunities for attackers to steal data, take advantage of assets, and gain illicit network access. It’s clear that container images have become a real attack vector, rather than a theoretical risk.

Key Findings
  • Supply chain attacks on containers spawn cryptominers. Cryptomining is the most common outcome of cloud- and container-based compromises. Attackers are littering public repositories, like Docker Hub, with dangerous container images that contain cryptominers, backdoors, and many other unwelcome surprises, often disguised as legitimate popular software. Thirty-six percent of malicious Docker Hub images contain cryptominers. Embedded secrets is the second most prevalent, which highlights the persistent challenges of secrets management.
  • Attackers make $1 for every $53 a victim is billed. TeamTNT is a notorious cloud-targeting threat actor that generates the majority of its criminal profits through cryptojacking. Sysdig TRT attributed more than $8,100 worth of cryptocurrency to TeamTNT, which was mined on stolen cloud infrastructure, costing the victims more than $430,000. The full impact of TeamTNT and similar entities is unknowable, but at $1 of profit for every $53 the victim is billed, the damage to cloud users is extensive.
  • DDoS attacks surge during conflict. The conflict between Russia and Ukraine includes a cyberwarfare component with government-supported threat actors and civilian hacktivists taking sides. The goals of disrupting IT infrastructure and utilities have led to a four-fold increase in DDoS attacks between 4Q21 and 1Q22.
  • Cybercriminals take sides, enabled by civilian volunteers. Over 150,000 volunteers have joined anti-Russian DDoS campaigns using container images from Docker Hub. The threat actors hit anyone they perceive as sympathizing with their opponent, and any unsecured infrastructure is targeted for leverage in scaling the attacks.
What people are saying
“Security teams can no longer delude themselves with the idea that ‘containers are too new or too ephemeral for threat actors to bother,’ said Stefano Chierici, Senior Security Researcher at Sysdig and Report Co-Author. “Attackers are in the cloud, and they are taking real money. The high prevalence of cryptojacking activity is attributable to the low risk and high reward for the perpetrators.”

“The Ukrainian government globally crowdsourced their cyberwar efforts. This was unprecedented, but it shows that digital transformation has extended well beyond classic IT use cases,” said Michael Clark, Director of Threat Research and Report Co-Author. “Willing and unwilling participants alike contributed their infrastructure to the DDoS disruptions.”


Media contact

Amanda McKinney Smith
[email protected]

Sysdig Logo

In the cloud, every second counts. Attacks move at warp speed, and security teams must protect the business without slowing it down. Sysdig stops cloud attacks in real time, instantly detecting changes in risk with runtime insights and open source Falco. Sysdig, rated #1 for CSPM in the Gartner Peer Insights “Voice of a Customer” report, correlates signals across cloud workloads, identities, and services to uncover hidden attack paths and prioritize real risk. From prevention to defense, Sysdig helps enterprises focus on what matters: innovation.

Sysdig. Secure Every Second.